In the PUR it states that External User Access is licensed with Server. That looks simple enough, but what about this:

Under Additional Terms it states:

CAL Waiver for Users Accessing Publicly Available Content

CALs are not required to access content, information, and applications that you make publicly available to users over the Internet (i.e., not restricted to Intranet or Extranet scenarios).

This term might appear to limit the External User access right. Why else exclude Extranet scenarios from the CAL waiver? Doesn’t it appear to say in the above that content that is restricted to Intranet or Extranet scenarios does require a CAL? In other words, the PUR appears to be implying here that Extranet users require CALs, just as Intranet users do. As I read this Additional Term it means that the only circumstance in which no CALs are needed for external users is when all of the content is publically available.

However, the Microsoft Licensing Brief published in January 2013 http://www.microsoft.com/licensing/about-licensing/briefs/SharepointServer2013.aspx, contradicts this reading. In the Extranet scenario it states: The identifiable external users (educators from other universities) who are permitted to access otherwise restricted content inside the firewall do not require SharePoint CALs, because external user access is permitted under the server license.

Exchange Server 2013 also includes External User Access licensed with the server. But again there is an Additional Terms section which limits the applicability of the general condition. In this case external users must not authenticate via AD or Lync Server.

If we set the CAL waiver aside as a (temporary) distraction, then we could interpret the Licensing Brief consistently with the PUR as follows:

Private SharePoint sites require CALs for internal users (staff, onsite contractors) but not for external users (non-staff, but authenticated). This applies to Intranet and Extranet scenarios.

Public SharePoint sites don’t require CALs since, by definition, all information is publically accessible and users are not identified or authenticated.